NSIGHT SERIES May 2020 — Issue 5

Home , Dark web, Dream Market, Freenet, Orbot, Telegram in Iran, ZeroNet

The Decline of the Dark Web How Mobile Solutions have Disrupted the Dark Web

The dark web is in decline. Once the preferred means for anonymizing users’ online activity, the dark web has now been supplanted by encrypted mobile applications and alternate solutions. Similarly, aggressive law enforcement actions have shuttered many of the dark web’s largest forums, making it a much more fleeting and much less secure destination for criminal activity. As a result, the number of users accessing dark web sites has dropped.

Instead, many users are connecting through the dark web via mobile applications on Android and iOS, rather than to the dark web via standard browsers, to obfuscate their internet traffic. Indeed, the number of users accessing the Tor network has increased, even as the number of users accessing hidden Dark web platforms such as The Onion Router (Tor), I2P, service sites—the “dark” part of the dark web—has dropped. Freenet, and Zeronet, attempt to anonymize users’ digital Moreover, encrypted applications like Telegram, Signal, fingerprint so that technical attributes like IP addresses are and Wickr.me have lowered the barrier to entry for secure not easily available to entities with intent to track users’ communication and illicit transactions. As a result, just like online activity. This emphasis on anonymity was designed to many other industries, the dark web has been disrupted keep the dark web free from oversight, free from censorship, by technological innovation and aggressive competition, and open to anyone in any location. The developers of Tor, triggering a gradual decline and turning the so-called the most popular dark web platform, promote it as a tool invisible internet even more opaque. to combat oppression and connect people who might not otherwise have open access to the internet. A substantial What is The Dark Web? percentage of Tor users come from countries like Iran, China, and Russia, where governments have restricted the The “dark web” refers to parts of the internet that require content its citizens can access. Major news outlets, sites like the use of special tools or routing protocols to access. Facebook, and even U.S. federal agencies maintain websites By comparison, the clear or surface web does not require on the dark web so its users can securely communicate from any special tools to access (think, espn.com or cnn.com). A countries where free speech is controlled. traditional web browser, unless specially configured, cannot connect users to a dark web “hidden service” site. These sites However, the lack of oversight has earned the dark web a rely on specific encryption and routing protocols to protect reputation as a haven for criminals looking to sell drugs, users’ identities. stolen identities, and other illicit services. Illegal transactions largely occur on dark web markets, which make up some of fixes for issues difficult. For example, The Tor Project recently Tor’s most popular hidden service sites. These markets are released an update that patched a major vulnerability that populated by hundreds of vendors and buyers, all of whom had been taking hidden service sites offline for years. The bug have learned how to operate specialized programs that keep was so well-known by the time it was addressed that a free- their identities hidden. To operate on a dark web market, to-use dark web denial-of-service (DOS) tool meant to exploit a user must create an account which is usually linked to a the bug had been available on Github for four years. secure dark web email address. They can then buy and sell content using cryptocurrency, provided they’ve established a Feeling Around in The Dark Web crypto wallet and obtained digital funds without linking them to their personal information. If a user attempts to acquire The lack of centralized information, coupled with a lack illegal goods from these markets without practicing proper of trust in fellow dark web users, has made it difficult for operational security, they risk compromising not only their the dark web community to collectively evolve, or create funds, but also their identity. a set of tools equivalent to those on the clear web. While the dark web has a few options for search engines, none A lack of oversight has also made it difficult for developers to are particularly effective. There are dozens of social media create and promote dark web resources. Due to its criminal sites that prioritize privacy being offered, but none has connotation, clear web sites are reluctant to post content gained enough notoriety to attract a wide user base. This, that links its viewers to potentially illicit hidden service sites in turn, means they aren’t advertised in community forums, on the dark web. Resources dedicated to the dark web are and ultimately have little chance of attracting a wider user routinely targeted by law enforcement entities and shut base in the future. Marketplaces and community forums down, so anyone interested in learning about how to operate have maintained their popularity on the dark web primarily on the dark web will need to look through community forums, because they offer the illicit goods and services without archived pages, and posts on social media. content censorship that could not easily be found elsewhere.

Unlike many popular clear web services, security patches, Even the dark web’s most visited markets are having updates, and improvements to Tor are released slowly and trouble staying active as law enforcement entities around sporadically, as the organization responsible for the browser, the world begin to dedicate substantial resources towards the Tor Project, has a limited number of resources. The conducting effective cyber investigations. From original anonymous nature of Tor makes identifying and implementing marketplaces like Silk Road, to recent marketplaces like

©2020 Ntrepid LLC. All rights reserved. Ntrepid LLC Proprietary Information. 5-20-001 In an environment where Tor and the dark web once offered some control over the information users shared over the internet, secure messaging apps have begun to gain traction. Platforms like Signal, Telegram, and Whatsapp all offer options to encrypt communications between users and prevent unintended parties from intercepting content. While the user has less control over configurations on mobile devices than they would through Tor on a standard computer, these apps allow anyone with a smartphone to create secure accounts quickly and with little effort.

Just as with Tor on the dark web, mobile platforms that were developed to facilitate free speech are gradually being co-opted by groups with criminal intent. Apps like Telegram have been targeted by extremist groups who have graduated Alphabay and Dream Market, hidden service sites offering from the dark web to mobile services in order to expand their illegal content are routinely targeted and taken down as reach to a larger audience. Telegram, intentionally or not, soon as they gain prominence. Many markets that attempt to has become a platform where radical users can connect and fill the vacuum have “exit scammed”—a fraudulent practice spread extremist ideology. Thanks to its privacy-focused wherein market admins or other actors appear to be running infrastructure, these users are able to create closed groups a market or providing a service but are in fact stealing users’ and channels full of encrypted content that can only be cryptocurrency before shutting down their site—before they accessed by invitation. They can also create public channels are caught by law enforcement. The constant uncertainty, to broadcast read-only messages as a supplement to high level of risk, and lack of continuity make dark web recruitment and indoctrination campaigns. markets less attractive each year. Secure communication platforms on mobile devices, however, present an interesting Groups ranging from Islamic extremists like IS and Al alternative. Qaeda to white supremacists and neo-nazis have migrated from hidden service sites on Tor to groups and channels The Rise in Alternate Solutions on Telegram. Instead of targeting only users technically proficient enough to avoid compromising themselves on Mobile devices are simplifying how users access web- the dark web, these extremists now have access to 200 based services. Smartphone owners have a connection to million active monthly users through an easily downloadable the internet in their pockets at all times, and this connection smartphone app. Users looking for stronger privacy is available to millions of people that don’t have access to features can try apps like Signal and Wickr, which offer a standard computer or home internet service. There are end-to-end encryption and require little to no verifiable approximately 3.5 billion smartphone users worldwide as of personal information. These also offer users the ability to 2020, and it’s estimated that around sixty percent of annual create self-destructing messages so that any incriminating web traffic now comes from mobile devices. People are able conversations are inaccessible to law enforcement. These to share more of their lives from more places than ever, and messaging apps are a popular supplement for vendors of that’s put a renewed emphasis on securing users’ privacy. illicit goods who want to talk directly to customers or conduct business outside of Tor’s dark web markets.

©2020 Ntrepid LLC. All rights reserved. Ntrepid LLC Proprietary Information. 5-20-001 The Tor Project is working to adapt to this new mobile- enforcement. Law enforcement take downs of popular dark focused environment. The organization recently released web markets and resources will prevent an increase in hidden an app for the Android mobile operating system and service site usage. Users looking for platforms that advocate recommends the Orbot app for users on an iOS device. privacy and free speech will increasingly transition to secure These apps allow users to not only visit hidden service sites messaging apps and mobile services. There they can easily from their smartphone, but also lets them route their clear secure their communications and browsing with encrypted web traffic through Tor’s relays in order to obscure some messaging apps and mobile optimized versions of Tor. These of their technical indicators. Documentation published by mobile platforms are also available to millions of users the IS-linked Electronic Horizons Foundation encourages worldwide who do not have access to standard computers its followers to browse Facebook and Twitter through with a Tor browser. Tor’s mobile app but directs its users to a list of secure messaging apps for group communication. High-profile white The massive number of smartphone users, the ability to supremacist terrorist groups like the Atomwaffen Division download and operate mobile apps with relative ease, and (AWD) maintain a hidden service site but, because most of the the security offered by content encryption are just a few community operates on apps like Telegram, their messages notable reasons why the dark web is in decline. In response often need to be reposted in popular white supremacist to this disruption, the Tor Project and other dark web services channels on the app. The group was recently subjected to have released mobile solutions of their own, but they’re still internal fracturing in part because the original members of only partial measures. The most sensitive or illicit activity AWD did not establish presence on Telegram before a splinter is increasingly occurring on end-to-end encrypted mobile group in the organization laid claim to the official channel. applications. As a result, the dark web, once an unpoliced and assumedly anonymous bastion for illegal activity, is today The Decline of the Dark Web on its way to dying a slow death in favor of simpler, more accessible mobile solutions. Due to the relative difficulty associated with creating, maintaining, and marketing a hidden service site on the Tor network, traditional utilization of sites on the dark web will continue to decrease. The dark web’s reputation as a haven of criminal activity will ensure it remains a target for law

About Ntrepid Ntrepid’s suite of managed attribution products enable organizations to safely conduct their online activities. We are dedicated to understanding the challenges our customers face in order to build environments to facilitate secure operations in the most hostile network environments and against the most sophisticated opponents. We are proud to support Fortune 500 companies in the financial and healthcare sectors and customers across the national security community.

www.ntrepidcorp.com 1.800.921.2414 [email protected]

Ntrepid’s Nsight Series analyzes emerging trends, challenges, and technologies that impact your online operations—all from the perspective of better managing your online attribution.